SecureWorld News

Breach Notification Letter: Answering the Trust Question

Written by SecureWorld News Team | Thu | Aug 30, 2018 | 1:51 PM Z

We caught an interesting paragraph within Air Canada's breach notification letter that the airline posted to its website this week.

And it drives home something crucial about cybersecurity: to the customer, cybersecurity could probably be defined as "trust."

In fact, this topic reminds me of an interview I did with US Bank CISO Jason Witty at SecureWorld Twin Cities last year. This is what he said:

"The number one thing I’m focused on is the trust of our customers and maintaining that trust. There is a very large amount of things we do to keep that objective. That’s really the main focus, recognizing that information security is all about trust."

Air Canada app breach: what was exposed

Right now, Air Canada customers may be a little low on trust for their airline.

You may have heard that Air Canada's mobile app had a relatively small breach of about 20,000 app user accounts. However, the types of information potentially exposed run deep:

      • name
      • email address
      • telephone number
      • Aeroplan number
      • passport number
      • NEXUS number
      • Known Traveler Number
      • gender
      • birthdate
      • nationality
      • passport expiration date
      • passport country of issuance
      • country of residence

Air Canada locked out all app accounts and forced a password reset of all 1.7 million of its users, which overwhelmed systems. 

The airline posted a special note to "try again in a few hours" because of the volume of password changes. The IT team was probably going crazy over that one, and we noticed customers were sounding off on Twitter about their frustrations. 

Air Canada breach notification: talking about trust

But the most distinctive thing about the Air Canada breach notification letter was its section on security and trust. The airline hit the topic head-on.

See what you think about this, from the airline's FAQs about the breach:

[Q] Can I trust Air Canada’s mobile App and its other systems?

[A] The security of Air Canada’s systems is of paramount importance, and Air Canada takes security of its customers’ privacy and data very seriously. Air Canada approaches security in a multi-layered manner, and we also work with leading cyber security and industry experts to detect irregularities and take action quickly. We continuously improve our practices as technology and security practices evolve. Customers can continue to use Air Canada’s mobile App and mobile products with confidence.

This statement alone raises other questions: Should they have simply said "yes" in answer to the question?

Does this sound like corporate boilerplate "we care about your security" language, or does it come across as sincere?

And was this the right time to address the question, since customers' trust had just been broken?

It's something to think about for your incident response plan. Because to customers, cybersecurity and trust have become synonymous.